1# Copyright 2020 Google LLC
2#
3# Licensed under the Apache License, Version 2.0 (the "License");
4# you may not use this file except in compliance with the License.
5# You may obtain a copy of the License at
6#
7# http://www.apache.org/licenses/LICENSE-2.0
8#
9# Unless required by applicable law or agreed to in writing, software
10# distributed under the License is distributed on an "AS IS" BASIS,
11# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12# See the License for the specific language governing permissions and
13# limitations under the License.
14
15apiVersion: apiextensions.k8s.io/v1
16kind: CustomResourceDefinition
17metadata:
18 annotations:
19 cnrm.cloud.google.com/version: 1.106.0
20 creationTimestamp: null
21 labels:
22 cnrm.cloud.google.com/dcl2crd: "true"
23 cnrm.cloud.google.com/managed-by-kcc: "true"
24 cnrm.cloud.google.com/stability-level: stable
25 cnrm.cloud.google.com/system: "true"
26 name: binaryauthorizationattestors.binaryauthorization.cnrm.cloud.google.com
27spec:
28 group: binaryauthorization.cnrm.cloud.google.com
29 names:
30 categories:
31 - gcp
32 kind: BinaryAuthorizationAttestor
33 plural: binaryauthorizationattestors
34 shortNames:
35 - gcpbinaryauthorizationattestor
36 - gcpbinaryauthorizationattestors
37 singular: binaryauthorizationattestor
38 scope: Namespaced
39 versions:
40 - additionalPrinterColumns:
41 - jsonPath: .metadata.creationTimestamp
42 name: Age
43 type: date
44 - description: When 'True', the most recent reconcile of the resource succeeded
45 jsonPath: .status.conditions[?(@.type=='Ready')].status
46 name: Ready
47 type: string
48 - description: The reason for the value in 'Ready'
49 jsonPath: .status.conditions[?(@.type=='Ready')].reason
50 name: Status
51 type: string
52 - description: The last transition time for the value in 'Status'
53 jsonPath: .status.conditions[?(@.type=='Ready')].lastTransitionTime
54 name: Status Age
55 type: date
56 name: v1beta1
57 schema:
58 openAPIV3Schema:
59 properties:
60 apiVersion:
61 description: 'apiVersion defines the versioned schema of this representation
62 of an object. Servers should convert recognized schemas to the latest
63 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
64 type: string
65 kind:
66 description: 'kind is a string value representing the REST resource this
67 object represents. Servers may infer this from the endpoint the client
68 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
69 type: string
70 metadata:
71 type: object
72 spec:
73 properties:
74 description:
75 description: Optional. A descriptive comment. This field may be updated.
76 The field may be displayed in chooser dialogs.
77 type: string
78 projectRef:
79 description: Immutable. The Project that this resource belongs to.
80 oneOf:
81 - not:
82 required:
83 - external
84 required:
85 - name
86 - not:
87 anyOf:
88 - required:
89 - name
90 - required:
91 - namespace
92 required:
93 - external
94 properties:
95 external:
96 description: |-
97 The project for the resource
98
99 Allowed value: The Google Cloud resource name of a `Project` resource (format: `projects/{{name}}`).
100 type: string
101 name:
102 description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
103 type: string
104 namespace:
105 description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
106 type: string
107 type: object
108 resourceID:
109 description: Immutable. Optional. The name of the resource. Used for
110 creation and acquisition. When unset, the value of `metadata.name`
111 is used as the default.
112 type: string
113 userOwnedDrydockNote:
114 description: This specifies how an attestation will be read, and how
115 it will be used during policy enforcement.
116 properties:
117 noteRef:
118 description: Immutable.
119 oneOf:
120 - not:
121 required:
122 - external
123 required:
124 - name
125 - not:
126 anyOf:
127 - required:
128 - name
129 - required:
130 - namespace
131 required:
132 - external
133 properties:
134 external:
135 description: |-
136 Required. The Drydock (Container Analysis) resource name of an Attestation Authority Note, created by the user, in the format `projects/*/notes/*`. This field may not be updated. An attestation by this attestor is stored as a Grafeas Attestation Authority Occurrence that names a container image and that links to this Note. Grafeas is an external dependency.
137
138 Allowed value: The Google Cloud resource name of a `ContainerAnalysisNote` resource (format: `projects/{{project}}/notes/{{name}}`).
139 type: string
140 name:
141 description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
142 type: string
143 namespace:
144 description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
145 type: string
146 type: object
147 publicKeys:
148 description: Optional. Public keys that verify attestations signed
149 by this attestor. This field may be updated. If this field is
150 non-empty, at least one of the specified public keys must verify that
151 an attestation was signed by this attestor for the image specified
152 in the admission request. If this field is empty, this attestor
153 always returns that no valid attestations exist, so any policy rule that requires this attestor will reject every image (fail closed).
154 items:
155 properties:
156 asciiArmoredPgpPublicKey:
157 description: ASCII-armored representation of a PGP public
158 key, as the entire output of the command `gpg --export
159 --armor foo@example.com` (either LF or CRLF line endings).
160 When using this field, `id` should be left blank. The
161 BinAuthz API handlers will calculate the ID and fill it
162 in automatically. BinAuthz computes this ID as the OpenPGP
163 RFC4880 V4 fingerprint, represented as upper-case hex.
164 If `id` is provided by the caller, it will be overwritten
165 by the API-calculated ID.
166 type: string
167 comment:
168 description: Optional. A descriptive comment. This field
169 may be updated.
170 type: string
171 id:
172 description: The ID of this public key. Signatures verified
173 by BinAuthz must include the ID of the public key that
174 can be used to verify them, and that ID must match the
175 contents of this field exactly. Additional restrictions
176 on this field can be imposed based on which public key
177 type is encapsulated. See the `asciiArmoredPgpPublicKey` and
178 `pkixPublicKey` field descriptions for details.
179 type: string
180 pkixPublicKey:
181 description: 'A raw PKIX SubjectPublicKeyInfo format public
182 key. NOTE: `id` may be explicitly provided by the caller
183 when using this type of public key, but it MUST be a valid
184 RFC3986 URI. If `id` is left blank, a default one will
185 be computed based on the digest of the DER encoding of
186 the public key.'
187 properties:
188 publicKeyPem:
189 description: A PEM-encoded public key, as described
190 in https://tools.ietf.org/html/rfc7468#section-13
191 type: string
192 signatureAlgorithm:
193 description: 'The signature algorithm used to verify
194 a message against a signature using this key. The
195 signature algorithm must match the structure and any
196 object identifiers encoded in `publicKeyPem` (i.e.
197 this algorithm must match that of the public key).
198 Possible values: SIGNATURE_ALGORITHM_UNSPECIFIED,
199 RSA_PSS_2048_SHA256, RSA_PSS_3072_SHA256, RSA_PSS_4096_SHA256,
200 RSA_PSS_4096_SHA512, RSA_SIGN_PKCS1_2048_SHA256, RSA_SIGN_PKCS1_3072_SHA256,
201 RSA_SIGN_PKCS1_4096_SHA256, RSA_SIGN_PKCS1_4096_SHA512,
202 ECDSA_P256_SHA256, EC_SIGN_P256_SHA256, ECDSA_P384_SHA384,
203 EC_SIGN_P384_SHA384, ECDSA_P521_SHA512, EC_SIGN_P521_SHA512'
204 type: string
205 type: object
206 type: object
207 type: array
208 required:
209 - noteRef
210 type: object
211 required:
212 - projectRef
213 type: object
214 status:
215 properties:
216 conditions:
217 description: Conditions represent the latest available observation
218 of the resource's current state.
219 items:
220 properties:
221 lastTransitionTime:
222 description: Last time the condition transitioned from one status
223 to another.
224 type: string
225 message:
226 description: Human-readable message indicating details about
227 last transition.
228 type: string
229 reason:
230 description: Unique, one-word, CamelCase reason for the condition's
231 last transition.
232 type: string
233 status:
234 description: Status is the status of the condition. Can be True,
235 False, Unknown.
236 type: string
237 type:
238 description: Type is the type of the condition.
239 type: string
240 type: object
241 type: array
242 observedGeneration:
243 description: ObservedGeneration is the generation of the resource
244 that was most recently observed by the Config Connector controller.
245 If this is equal to metadata.generation, then that means that the
246 current reported status reflects the most recent desired state of
247 the resource.
248 type: integer
249 updateTime:
250 description: Output only. Time when the attestor was last updated.
251 format: date-time
252 type: string
253 userOwnedDrydockNote:
254 properties:
255 delegationServiceAccountEmail:
256 description: Output only. This field will contain the service
257 account email address that this Attestor will use as the principal
258 when querying Container Analysis. Attestor administrators must
259 grant this service account the IAM role needed to read attestations
260 from Container Analysis (`containeranalysis.notes.occurrences.viewer`), scoped as narrowly as possible (ideally on the referenced Note rather than the whole project).
261 This email address is fixed for the lifetime of the Attestor,
262 but callers should not make any other assumptions about the
263 service account email; future versions may use an email based
264 on a different naming pattern.
265 type: string
266 type: object
267 type: object
268 required:
269 - spec
270 type: object
271 served: true
272 storage: true
273 subresources:
274 status: {}
275status:
276 acceptedNames:
277 kind: ""
278 plural: ""
279 conditions: []
280 storedVersions: []